Wednesday, October 29, 2025

Personal Access Tokens

Personal Access Tokens for Suga

We've just released Personal Access Tokens (PATs) for Suga. Suga Personal Access Tokens enable secure, programmatic access to Suga resources, making it easier to integrate Suga into your CI/CD pipelines and automated workflows.

What Are Personal Access Tokens?

Personal Access Tokens are an alternative to passwords for authenticating with Suga when using the CLI or API. They provide a secure way to automate infrastructure deployments without requiring interactive login flows.

Think of PATs as specialized credentials designed specifically for automation. They carry your permissions and can perform most actions you can, with a few important restrictions to keep your account secure.

Token Uses

With Personal Access Tokens, you can:

  • Authenticate the Suga CLI in CI/CD, to build and deploy infrastructure from GitHub Actions, GitLab CI, CircleCI, Jenkins, etc.
  • Make direct API calls to Suga services, to build custom integrations and tooling
  • Automate workflows by skipping interactive device authorization flows

For security, tokens cannot be used to manage other tokens or access the Suga Agent chat API. For AI-assisted development in automation, use the Suga CLI MCP server instead.

Creating Tokens

Getting started is straightforward:

  1. Navigate to Settings > Personal Access Tokens in the Suga dashboard
  2. Click Generate Token
  3. Provide a descriptive name (like "GitHub Actions CI" or "Production Deploy")
  4. Select an expiration period
  5. Copy your token immediately - it's shown only once

We recommend choosing the shortest expiration that meets your needs. For long-term automation, use 90-day tokens with a rotation process rather than tokens that never expire.

CI/CD Integration

Personal Access Tokens are designed to work effortlessly with your existing CI/CD platform. Simply set the SUGA_ACCESS_TOKEN environment variable, and the Suga CLI automatically authenticates:

export SUGA_ACCESS_TOKEN="your-token-here"
suga build

Here's a GitHub Actions example:

name: Deploy with Suga

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Suga CLI
        run: |
          curl -sSL https://addsuga.com/install | sh
          echo "$HOME/.suga/bin" >> "$GITHUB_PATH"

      - name: Build and Deploy
        env:
          SUGA_ACCESS_TOKEN: ${{ secrets.SUGA_ACCESS_TOKEN }}
        run: suga build

We provide detailed setup guides for GitHub Actions, GitLab CI, CircleCI, Jenkins, and other platforms in our CI/CD Authentication documentation.

Best Practices

Security is paramount when working with access tokens. Here are our recommendations:

  • Treat tokens like passwords and never commit them to version control
  • Store tokens securely, using your CI/CD platform's secrets management (GitHub Secrets, GitLab CI/CD Variables, etc.)
  • Use descriptive names to make tokens easy to identify and audit
  • Set appropriate expiration: choose the shortest duration that works for your use case
  • Rotate regularly by regenerating tokens periodically, even before expiration
  • Revoke unused tokens
  • Use different tokens for different purposes
  • Monitor usage, by reviewing active tokens and their last-used timestamps in Settings

If a token is compromised, revoke it immediately from the Personal Access Tokens settings page. Revoked tokens are invalidated instantly and cannot be restored.
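
To enforce the "never commit them to version control" rule before a push, a repository scan can flag places where a token is written as a literal rather than read from a secret. The script below is an added example, not part of the Suga CLI or documentation; the function name and regular expressions are assumptions, and because this page does not describe the token format, it matches on the SUGA_ACCESS_TOKEN name and the Bearer header rather than on a token prefix.

```shell
#!/bin/sh
# Added example (not Suga tooling): find Suga tokens written as literals.
# Assumes a grep that supports -r, -I and -E (GNU or BSD grep).

Q="[\"']"   # optional quote around the variable name or its value
# NAME, then = or :, then a value that does not start with "$".
# Values starting with "$" are references ($VAR, ${{ secrets.X }}), not
# literals. The leading group skips ${SUGA_ACCESS_TOKEN:-...} expansions
# and longer variable names that merely end in SUGA_ACCESS_TOKEN.
ASSIGN_RE="(^|[^{_[:alnum:]])SUGA_ACCESS_TOKEN${Q}?[[:space:]]*[:=][[:space:]]*${Q}?[^\$\"'[:space:]]"
# Authorization header carrying a literal bearer value.
BEARER_RE="Authorization:[[:space:]]*Bearer[[:space:]]+[^\$[:space:]]"
# The placeholder used in this page's examples is not a secret.
PLACEHOLDER="your-token-here"

# Prints file:line:text for each suspect line under directory $1.
# Returns 1 when anything is found (so a CI step fails), 0 otherwise.
# -I skips binary files such as packed git objects.
find_hardcoded_suga_tokens() {
    dir=${1:-.}
    hits=$(grep -rnIE -e "$ASSIGN_RE" -e "$BEARER_RE" "$dir" 2>/dev/null \
           | grep -vF "$PLACEHOLDER" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Run it as `find_hardcoded_suga_tokens .` from the repository root in a pre-commit hook or an early CI step. A hit on a real token means the token should be revoked, not just removed from the file.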

API Access

Beyond the CLI, Personal Access Tokens work seamlessly with the Suga API as Bearer tokens:

curl -H "Authorization: Bearer your-token-here" \
     https://app.addsuga.com/api/teams/{team}/platforms

This enables you to build custom integrations, dashboards, and tooling around Suga's infrastructure capabilities.

Get Started

Personal Access Tokens are available now for all Suga users. Head to your team's Settings page to create your first token and start automating your infrastructure workflows.

For detailed guidance, check out our documentation:

As always, we'd love to hear your feedback and learn how you're using Personal Access Tokens in your workflows.
